It was possible to bypass the "validate_ajax_request" function, which controls access to AJAX functions, by sending a request without a nonce parameter. This could be used to upload arbitrary code in an image file. Although the uploaded file must be a valid image, a valid image can still contain PHP code, which would be executed if the file were included using the vulnerability in CVE-2020-35942.
Ramuel Gall
Ramuel Gall
No
2021-02-08 (about 1 year ago)
2021-02-08 (about 1 year ago)
2021-02-09 (about 1 year ago)
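The description above turns on a nonce check that passes when the parameter is absent. The following is an added example, not the plugin's code: it contrasts a fail-open check with a fail-closed one. The function names `validate_fail_open` and `validate_fail_closed`, the `upload_image` action and the stand-in for WordPress's `wp_verify_nonce()` are assumptions made so the file runs outside WordPress.

```php
<?php
// Constructed stand-in so this runs without WordPress loaded. The real
// wp_verify_nonce($nonce, $action) returns 1 or 2 on success, false on failure.
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action = -1) {
        $expected = hash_hmac('sha256', (string) $action, 'constructed-key');
        return hash_equals($expected, (string) $nonce) ? 1 : false;
    }
}

// Hypothetical fail-open pattern: the nonce is verified only if supplied,
// so a request that omits the parameter is accepted.
function validate_fail_open(array $request, string $action): bool {
    if (isset($request['nonce'])) {
        return wp_verify_nonce($request['nonce'], $action) !== false;
    }
    return true; // missing parameter treated as valid
}

// Fail-closed: a missing, non-string or invalid nonce is always rejected.
// In a real handler this sits alongside a capability check for the action.
function validate_fail_closed(array $request, string $action): bool {
    if (!isset($request['nonce']) || !is_string($request['nonce'])) {
        return false;
    }
    return wp_verify_nonce($request['nonce'], $action) !== false;
}

// Constructed sample requests for a hypothetical 'upload_image' action.
$action = 'upload_image';
$cases = [
    'valid nonce'   => ['nonce' => hash_hmac('sha256', $action, 'constructed-key')],
    'wrong nonce'   => ['nonce' => 'bogus'],
    'nonce omitted' => [],
    'nonce as array' => ['nonce' => ['x']],
];

foreach ($cases as $label => $request) {
    printf(
        "%-15s fail-open=%-5s fail-closed=%s\n",
        $label,
        var_export(validate_fail_open($request, $action), true),
        var_export(validate_fail_closed($request, $action), true)
    );
}
```

Only the fail-closed version rejects the request with the nonce omitted; both reject a wrong nonce, which is why this class of bug is easy to miss when tests only send bad tokens.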